Abstract
This paper elaborates HCI (Human-Computer Interaction) requirements for making cloud data protection tools comprehensible and trustworthy. The requirements and corresponding user interface design principles are derived from our research and review work conducted to address in particular the following HCI challenges: How can the users be guided to better comprehend the flow and traces of data on the Internet and in the cloud? How can individual end users be supported to do better informed decisions on how their data can be used by cloud providers or others? How can the legal privacy principle of transparency and accountability be enforced by the user interfaces of cloud inspection tools? How can the user interfaces help users to reassess their trust/distrust in services? The research methods that we have used comprise stakeholder workshops, focus groups, controlled experiments, usability tests as well as literature and law reviews. The derived requirements and principles are grouped into the following functional categories: (1) ex-ante transparency, (2) exercising data subject rights, (3) obtaining consent, (4) privacy preference management, (5) privacy policy management, (6) ex-post transparency, (7) audit configuration, (8) access control management, and (9) privacy risk assessment. This broad categorization makes our results accessible and applicable for any developer within the field of usable privacy and transparency-enhancing technologies for cloud service chains.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
A ‘data subject’ is a natural person about whom personal data are processed.
- 2.
Under Article 29 of the Data Protection Directive, a Working Party on the Protection of Individuals with regard to the Processing of Personal Data is established, made up of the Data Protection Commissioners from the Member States together with a representative of the European Commission. The Working Party is independent and acts in an advisory capacity. The Working Party seeks to harmonize the application of data protection rules throughout the EU, and publishes opinions and recommendations on various data protection topics.
- 3.
References
Angulo, J., Fischer-Hübner, S., Pettersson, J.S.: General HCI principles and guidelines for accountability and transparency in the cloud. A4Cloud Deliverable D:C-7.1, September 2013 (2013)
Pearson, S., Tountopoulos, V., Catteddu, D., Sudholt, M., Molva, R., Reich, C., Fischer-Hübner, S., Millard, C., Lotz, V., Jaatun, M.G.: Accountability for cloud and other future Internet services. In IEEE 4th International Conference on Cloud Computing Technology and Science (CloudCom), 2012. IEEE (2012)
Hildebrandt, M.: Behavioural biometric profiling and transparency enhancing tools. FIDIS Deliverable D7.12, March 2005. FIDIS EU project (2009)
Fischer-Hübner, S., Angulo, J., Pulls, T.: How can cloud users be supported in deciding on, tracking and controlling how their data are used? In: Hansen, M., Hoepman, J.-H., Leenes, R., Whitehouse, D. (eds.) Privacy and Identity 2013. IFIP AICT, vol. 421, pp. 77–92. Springer, Heidelberg (2014)
Angulo, J., Wästlund, E., Högberg, J.: What would it take for you to tell your secrets to a cloud? - studying decision factors when disclosing information to cloud services. In: Bernsmed, K., Fischer-Hübner, S. (eds.) NordSec 2014. LNCS, vol. 8788, pp. 129–145. Springer, Heidelberg (2014)
Beckerle, M., Martucci, L.A.: Formal definitions for usable access control rule sets from goals to metrics. In: Proceedings of the Ninth Symposium on Usable Privacy and Security (SOUPS 2013), New Castle, UK, 24–26 July. ACM (2013)
Whitten, A., Tygar, J.D.: Why Johnny can’t encrypt: a usability evaluation of PGP 5.0. In: The Proceedings of the 8th USENIX Security Symposium (1999)
Nielsen, J.: Usability inspection methods. In: Conference Companion on Human Factors in Computing Systems. ACM (1995)
Johnston, J., Eloff, J.H., Labuschagne, L.: Security and human computer interfaces. Comput. Secur. 22(8), 675–684 (2003)
Yee, K.: Aligning security and usability. IEEE Secur. Priv. 2(5), 48–55 (2004)
Garfinkel, S.: Design principles and patterns for computer systems that are simultaneously secure and usable. Massachusetts Institute of Technology (2005)
Dhamija, R., Dusseault, L.: The seven flaws of identity management: usability and security challenges. IEEE Secur. Priv. 6(2), 24–29 (2008)
Patrick, A.S., Kenny, S.: From privacy legislation to interface design: implementing information privacy in human-computer interactions. In: Dingledine, R. (ed.) PET 2003. LNCS, vol. 2760, pp. 107–124. Springer, Heidelberg (2003)
Patrick, A.S., Kenny, S., Holmes, C., van Breukelen, M.: Human computer interaction. In: van Blarkom, G.W., Borking, J.J., Olk, J.G.E. (eds.) Handbook of Privacy and Privacy-Enhancing Technologies: The Case of Intelligent Software Agents, pp. 249–290. College Bescherming Persoonsgegevens, Den Haag (2003)
European Commission: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Office Journal L. 281. 23.11.1995 (1995)
Art. 29 Data Protection Working Party: Opinion 10/2004 on More Harmonised Information Provisions, 25 November 2004. European Commission (2004)
Pettersson, J.S.: HCI Guidelines. PRIME Deliverable D06.1.f. Final Version. PRIME project (2008)
International Standard Organization (ISO): Ergonomic requirements for office work with visual display terminals (VDTs)-Part 11: guidance on usability-Part 11 (ISO 9241-11:1998) (1998)
Pettersson, J.S., Fischer-Hübner, S., Danielsson, N., Nilsson, J., Bergmann, M., Clauss, S., Kriegelstein, T., Krasemann, H.: Making PRIME usable. In: Proceedings of the 2005 Symposium on Usable Privacy and Security (SOUPS 2005), Pittsburg, PA, USA. ACM (2005)
Graf, C., Hochleitner, C., Wolkerstorfer, P., Angulo, J., Fischer-Hübner, S., Wästlund, E., Hansen, M., Holtz, L.: Towards Usable Privacy Enhancing Technologies: Lessons Learned from the PrimeLife Project. PrimeLife Deliverable D4.1.6. PrimeLife (2011)
Wästlund, E., Wolkerstorfer, P., Köffel, C.: PET-USES: privacy-enhancing technology – users’ self-estimation scale. In: Bezzi, M., Duquenoy, P., Fischer-Hübner, S., Hansen, M., Zhang, G. (eds.) IFIP AICT 320. IFIP AICT, vol. 320, pp. 266–274. Springer, Heidelberg (2010)
Alexander, C., Ishikawa, S., Silverstein, M.: Pattern Languages. Center for Environmental Structure. Oxford University Press, New York (1977)
PrimeLife WP4.1: HCI Pattern Collection – Version 2. In: Fischer-Hübner, S., Köffel, C., Pettersson, J., Wästlund, E., Zwingelberg, H. (eds.) PrimeLife Deliverable D4.1.3. PrimeLife (2010). http://www.primelife.eu/results/documents
ECC-Net: Trust marks report 2013: “Can I trust the trust mark?”. The European Consumer Centres, Network (2013). www.konsumenteuropa.se/PageFiles/159275/Trust%20Mark%20Report%202013.pdf
ENISA: On the security, privacy, and usability of online seals. An overview Version December 2013. European Union Agency for Network and Information Security (2013). www.enisa.europa.eu
Spiekermann, S., Grossklags, J., Berendt, B.: E-privacy in 2nd generation e-commerce: privacy preferences versus actual behavior. In: Proceedings of the 3rd ACM Conference on Electronic Commerce, Tampa, Florida, USA. ACM (2001)
Gross, R., Acquisti, A.: Information revelation and privacy in online social networks. In: Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society, Pittsburg, PA, USA. ACM (2005)
European Commission: Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). COM (2012) 11 Final. Brussels, 25.1.2012 (2012)
International Standard Organization (ISO): 25010-2011. Systems and software engineering – Systems and software Quality Requirements and Evaluation (SQuaRE) – System and software quality models (2011)
International Standard Organization (ISO): 9241-210: 2009. Ergonomics of human system interaction-Part 210: Human-centred design for interactive systems (formerly known as 13407) (2010)
Wästlund, E., Angulo, J., Fischer-Hübner, S.: Evoking comprehensive mental models of anonymous credentials. In: Camenisch, J., Kesdogan, D. (eds.) iNetSec 2011. LNCS, vol. 7039, pp. 1–14. Springer, Heidelberg (2012)
Maguire, M., Bevan, N.: User requirements analysis. In: Hammond, J., Gross, T., Wesson, J. (eds.) Usability. IFIP — The International Federation for Information Processing, vol. 99, pp. 133–148. Springer, New York (2002)
Owen, H.: Open Space Technology: A User’s Guide. Berrett-Koehler Publishers, San Francisco (2008)
Brown, J., Isaacs, D.: The World Café: Shaping Our Futures Through Conversations that Matter. Berrett-Koehler Publishers, San Francisco (2005)
Bernard, H.R.: Research Methods in Cultural Anthropology. Sage, Newbury Park (1988)
Brandimarte, L., Acquisti, A., Loewenstein, G.: Misplaced confidences: privacy and the control paradox. Social Psychological and Personality Science 4(3), 340–347 (2012). SAGE Publications
Hoadley, C.M., Xu, H., Lee, J.J., Rosson, M.B.: Privacy as information access and illusory control: The case of the Facebook News Feed privacy outcry. Electron. Commer. Res. Appl. 9(1), 50–60 (2010)
Ion, I., Sachdeva, N., Kumaraguru, P., Capkun, S.: Home is safer than the cloud!: privacy concerns for consumer cloud storage. In: Proceedings of the Seventh Symposium on Usable Privacy and Security, Pittsburg, PA, USA, p. 13:1. ACM (2011)
Langer, E.J.: The illusion of control. J. Pers. Soc. Psychol. 32(2), 311 (1975)
Marshall, C., Tang, J.C.: That syncing feeling: early user experiences with the cloud. In: Proceedings of the Designing Interactive Systems Conference. ACM (2012)
Tversky, A., Kahneman, D.: The framing of decisions and the psychology of choice. In: Wright, G. (ed.) Behavioral Decision Making, pp. 25–41. Springer, New York (1985)
Xu, H.: The effects of self-construal and perceived control on privacy concerns. In: Proceedings of the 28th Annual International Conference on Information Systems (ICIS 2007) (2007)
Jaspers, M.W.M., Steen, T., van den Bos, C., Geenen, M.: The think aloud method: a guide to user interface design. Int. J. Med. Inform. 73(11–12), 781–795 (2004)
Rubin, J., Chisnell, D.: Handbook of Usability Testing: How to Plan, Design, and Conduct Effective Tests. Wiley Publ., Indianapolis (2008)
Pettersson, J.S., Fischer-Hübner, S., Bergmann, M.: Outlining “Data Track”: privacy-friendly data maintenance for end-users. In: Wojtkowski, W., Wojtkowski, W.G., Zupancic, J., Magyar, G., Knapp, G. (eds.) Advances in Information Systems Development, pp. 215–226. Springer, New York (2007)
Wästlund, E., Fischer-Hübner, S.: End User Transparency Tools: UI Prototypes. PrimeLife Deliverable D.4.2.2. PrimeLife project (2010)
Pulls, T.: Privacy-friendly cloud storage for the data track. In: Jøsang, A., Carlsson, B. (eds.) NordSec 2012. LNCS, vol. 7617, pp. 231–246. Springer, Heidelberg (2012)
Freeman, L.C.: Visualizing social networks. J. Soc. Struct. 1(1), 4 (2000)
Becker, R.A., Eick, S.G., Wilks, A.R.: Visualizing network data. IEEE Trans. Vis. Comput. Graph. 1(1), 16–28 (1995)
Kani-Zabihi, E., Helmhout, M.: Increasing service users’ privacy awareness by introducing on-line interactive privacy features. In: Laud, P. (ed.) NordSec 2011. LNCS, vol. 7161, pp. 131–148. Springer, Heidelberg (2012)
Kolter, J., Netter, M., Pernul, G.: Visualizing past personal data disclosures. In: ARES 2010 International Conference on Availability, Reliability, and Security, 2010, p. 131. IEEE (2010)
Art. 29 Data Protection Working Party (2012). Opinion 5/2012 on Cloud Computing. European Commission, 1 July 2012
Art. 29 Data Protection Working Party (2010). Opinion 1/2010 on the concepts of “controller” and “processor”. European Commission, 16 February 2010
O’Neill, O.: A Question of Trust. CUP, Cambridge (2002)
Wamala, C.: Does IT count?: complexities between access to and use of information technologies among Uganda’s farmers. Luleå Tekniska universitet, Luleå (2010)
Lacohée, H., Crane, S., Phippen, A.: Trustguide: Final report. Trustguide, October 2006 (2006)
Angulo, J., Fischer-Hübner, S., Wästlund, E., Pulls, T.: Towards usable privacy policy display and management. Inf. Manag. Comput. Secur. 20(1), 4–17 (2012)
Andersson, C., Camenisch, J., Crane, S., Fischer-Hübner, S., Leenes, R., Pearson, S., Pettersson, J.S., Sommer, D.: Trust in PRIME. In: Proceedings of the Fifth IEEE International Symposium on Signal Processing and Information Technology. IEEE (2005)
Tsai, J.Y., Kelley, P., Drielsma, P., Cranor, L.F., Hong, J., Sadeh, N.: Who’s viewed you?: the impact of feedback in a mobile location-sharing application. In: CHI 2009 Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, ACM (2009)
Shin, D.: User centric cloud service model in public sectors: policy implications of cloud services. Gov. Inf. Q. 30, 194–203 (2013)
Pearson, S.: Privacy, security and trust in cloud computing. In: Pearson, S., Yee, G. (eds.) Privacy and Security for Cloud Computing, pp. 3–42. Springer, London (2013)
Voida, A., Olson, J.S., Olson, G.M.: Turbulence in the clouds: challenges of cloud-based information work. In: CHI 2013 Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, ACM (2013)
Joinson, A.N., Reips, U.-D., Buchanan, T., Paine Schfield, C.B.: Privacy, trust, and self-disclosure online. Hum.-Comput. Interact. 25(1), 1–24 (2013)
Acknowledgements
This work has in part been financed by the European Commission, grant FP7-ICT-2011-8-317550-A4CLOUD.
We thank project co-workers that have contributed to the research with the help of whom these requirements were derived, especially Erik Wästlund, Leonardo Martucci, and Tobias Pulls. Besides, we thank W Kuan Hon from Queen Mary University London for very helpful comments.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Fischer-Hübner, S., Pettersson, J.S., Angulo, J. (2015). HCI Requirements for Transparency and Accountability Tools for Cloud Service Chains. In: Felici, M., Fernández-Gago, C. (eds) Accountability and Security in the Cloud. A4Cloud 2014. Lecture Notes in Computer Science(), vol 8937. Springer, Cham. https://doi.org/10.1007/978-3-319-17199-9_4
Download citation
DOI: https://doi.org/10.1007/978-3-319-17199-9_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17198-2
Online ISBN: 978-3-319-17199-9
eBook Packages: Computer ScienceComputer Science (R0)